[Python-Dev] [Python-checkins] cpython (2.7): Issue 17538: Document XML vulnerabilities
Ezio Melotti ezio.melotti at gmail.com
Thu Mar 28 23:56:46 CET 2013
- Previous message: [Python-Dev] Post-PyCon updates to PyParallel
- Next message: [Python-Dev] Accepting PEP 434, Idle Enhancement Exception
Hi,
On Tue, Mar 26, 2013 at 6:53 PM, christian.heimes <python-checkins at python.org> wrote:
http://hg.python.org/cpython/rev/e87364449954
changeset:   82973:e87364449954
branch:      2.7
parent:      82963:d321885ff8f3
user:        Christian Heimes <christian at cheimes.de>
date:        Tue Mar 26 17:53:05 2013 +0100
summary:     Issue 17538: Document XML vulnerabilities
[...] diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst new file mode 100644 --- /dev/null +++ b/Doc/library/xml.rst @@ -0,0 +1,131 @@ +.. xml: + +XML Processing Modules +====================== + +.. module:: xml + :synopsis: Package containing XML processing modules +.. sectionauthor:: Christian Heimes <christian at python.org> +.. sectionauthor:: Georg Brandl <georg at python.org> + + +Python's interfaces for processing XML are grouped in the
xml
package. + +.. warning:: + + The XML modules are not secure against erroneous or maliciously + constructed data. If you need to parse untrusted or unauthenticated data see + :ref:xml-vulnerabilities
. + +It is important to note that modules in the :mod:xml
package require that +there be at least one SAX-compliant XML parser available. The Expat parser is +included with Python, so the :mod:xml.parsers.expat
module will always be +available. + +The documentation for the :mod:xml.dom
and :mod:xml.sax
packages are the +definition of the Python bindings for the DOM and SAX interfaces. + +The XML handling submodules are: + +* :mod:xml.etree.ElementTree
: the ElementTree API, a simple and lightweight
Something is missing here ^
+ +.. + +* :mod:
xml.dom
: the DOM API definition +* :mod:xml.dom.minidom
: a lightweight DOM implementation +* :mod:xml.dom.pulldom
: support for building partial DOM trees + +.. + +* :mod:xml.sax
: SAX2 base classes and convenience functions +* :mod:xml.parsers.expat
: the Expat parser binding + + +.. xml-vulnerabilities: + [...] + +defused packages +---------------- + +defusedxml
is a pure Python package with modified subclasses of all stdlib +XML parsers that prevent any potentially malicious operation. The courses of +action are recommended for any server code that parses untrusted XML data.
This last sentence doesn't make much sense to me. Is it even correct?
The +package also ships with example exploits and an extended documentation on more +XML exploits like xpath injection. + +
defusedexpat
provides a modified libexpat and patched replacment
s/replacment/replacement/
+:mod:
pyexpat
extension module with countermeasures against entity expansion +DoS attacks. Defusedexpat still allows a sane and configurable amount of entity +expansions. The modifications will be merged into future releases of Python. + +The workarounds and modifications are not included in patch releases as they +break backward compatibility. After all inline DTD and entity expansion are +well-definied XML features.
s/definied/defined/
+ + +.. defusedxml: <https://pypi.python.org/pypi/defusedxml/> +.. defusedexpat: <https://pypi.python.org/pypi/defusedexpat/> +.. Billion Laughs: http://en.wikipedia.org/wiki/Billionlaughs +.. ZIP bomb: http://en.wikipedia.org/wiki/Zipbomb +.. DTD: http://en.wikipedia.org/wiki/DocumentTypeDefinition [...]
Best Regards, Ezio Melotti